How to create a service that has network admin privileges through the Docker Engine API
Question
I am building a chaos engineering tool for Docker Swarms. I want to use iproute2 so I can inject packet delays into the Docker Swarm. To do this I need to create a swarm service that has network admin privileges through the Docker Engine API (v1.43).
I can see that I can create a container with network admin privileges with CapAdd in HostConfig using the NET_ADMIN option (https://docs.docker.com/engine/api/v1.43/#tag/Container/operation/ContainerCreate). However, in the Docker Engine API documentation for creating a service (https://docs.docker.com/engine/api/v1.43/#tag/Service/operation/ServiceCreate), ContainerSpec also has CapabilityAdd, but only four options are listed: "CAP_NET_RAW", "CAP_SYS_ADMIN", "CAP_SYS_CHROOT", "CAP_SYSLOG". There is no NET_ADMIN option. Does anyone have any solutions to this, or any workarounds I could use, so that I can create a service with NET_ADMIN privileges?
Answer 1
Score: 1
I eventually reached a solution and solved my own problem. In case anyone else has a similar issue, I have explained my solution. It is not shown in the Docker Engine API documentation, but to give the service NET_ADMIN, simply use:
"CapabilityAdd": [
    "CAP_NET_ADMIN"
]
I believe any of the capabilities listed in the Linux capabilities documentation can be used (https://man7.org/linux/man-pages/man7/capabilities.7.html). Also, if like me you want to interfere with a Docker Swarm network from inside a container, you should set the network mode to "host", so that you can interact with all the networks running on the host. You can do this as shown below.
"Networks": [
    {
        "Target": "host"
    }
]
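The full request the answer describes, as an added example (this is not code from the original post): a Python script that builds the ServiceCreate body with CapabilityAdd and host networking, POSTs it to the Docker Engine API over the local Unix socket, and includes a check you can run inside the task to confirm the daemon really granted CAP_NET_ADMIN. The socket path, the image and service names, the tc command, and the worker-only placement constraint are assumptions; the /proc status lines used for the check are constructed samples.

```python
"""Create a Swarm service that gets CAP_NET_ADMIN, via the Docker Engine API.

Added example, not code from the original post. Assumptions: the Engine API
listens on the default Unix socket /var/run/docker.sock, the script runs on a
manager node (only managers accept ServiceCreate), and the image/service
names and the tc command are placeholders to adapt.
"""
import http.client
import json
import socket

API_VERSION = "v1.43"
DOCKER_SOCKET = "/var/run/docker.sock"

# Capability numbers from capabilities(7) / linux/capability.h: the daemon
# accepts the CAP_-prefixed names, the kernel exposes them as bit positions.
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13


def build_service_spec(name, image, command):
    """Return a ServiceCreate body: one replica, CAP_NET_ADMIN, host network."""
    return {
        "Name": name,
        "TaskTemplate": {
            "ContainerSpec": {
                "Image": image,
                "Command": command,
                # Not in the docs' example list, but accepted by the daemon,
                # as the answer above found. Add only what tc needs: NET_ADMIN
                # alone covers qdisc changes; no privileged mode required.
                "CapabilityAdd": ["CAP_NET_ADMIN"],
            },
            # Assumed constraint: keep a host-network NET_ADMIN task off the
            # managers, since it can reshape every interface on the node it
            # lands on, including the one carrying Raft/control traffic.
            "Placement": {"Constraints": ["node.role==worker"]},
        },
        "Mode": {"Replicated": {"Replicas": 1}},
        # Host networking so tc sees the node's interfaces, not just the
        # task's own veth (this matches the answer's Networks fragment).
        "Networks": [{"Target": "host"}],
    }


class UnixSocketConnection(http.client.HTTPConnection):
    """HTTPConnection bound to the Docker Unix socket instead of TCP."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def create_service(spec, sock_path=DOCKER_SOCKET):
    """POST the spec to /services/create; return (HTTP status, decoded body)."""
    conn = UnixSocketConnection(sock_path)
    try:
        conn.request(
            "POST",
            f"/{API_VERSION}/services/create",
            body=json.dumps(spec).encode(),
            headers={"Content-Type": "application/json"},
        )
        resp = conn.getresponse()
        raw = resp.read()
    finally:
        conn.close()
    return resp.status, (json.loads(raw) if raw else {})


def has_effective_cap(proc_status, cap_number):
    """Check a /proc/<pid>/status dump for one effective capability.

    Run `cat /proc/1/status` inside the task and feed the text here to
    confirm the daemon granted the capability; CapEff is a hex bitmask
    indexed by capability number.
    """
    for line in proc_status.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return bool((mask >> cap_number) & 1)
    raise ValueError("CapEff line not found")


# Constructed sample status lines: Docker's default capability set, and the
# same set with CAP_NET_ADMIN (bit 12) added.
STATUS_DEFAULT = "Name:\ttc\nCapEff:\t00000000a80425fb\n"
STATUS_WITH_NET_ADMIN = "Name:\ttc\nCapEff:\t00000000a80435fb\n"

if __name__ == "__main__":
    spec = build_service_spec(
        "chaos-delay",
        "your-iproute2-image:latest",  # placeholder image with tc installed
        ["tc", "qdisc", "add", "dev", "eth0", "root", "netem", "delay", "100ms"],
    )
    status, body = create_service(spec)
    print(status, body)  # 201 and {"ID": "..."} on success
```

Two things worth keeping in mind when running this. Anything that can POST to the Docker socket is already root on that node, and a task with CAP_NET_ADMIN on the host network can reshape every interface of the node it lands on, so pin the service to the nodes you mean to disturb and remove it when the experiment ends. The four names the question quotes from the API reference are the field's example value, not an enumeration, which is why the daemon accepts CAP_NET_ADMIN even though the docs never list it.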